Case Details
- Citation: [2018] SGPDPC 20
- Court: Personal Data Protection Commission
- Date: 2018-08-21
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Dimsum Property Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 20
- Judgment Length: 4 pages, 882 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Dimsum Property Pte. Ltd. (the "Organisation") failed to make reasonable security arrangements to protect the personal data of its customers, in breach of section 24 of the Personal Data Protection Act 2012 (PDPA). The Organisation had allowed public access to sensitive personal information, including identification documents, through its website. While the Organisation took prompt action to remove the data and ceased operations of the website, the PDPC issued a warning to the Organisation for the breach.
What Were the Facts of This Case?
The case concerned a complaint filed by a member of the public about the failure of Dimsum Property Pte. Ltd. to protect the personal data of individuals in its possession. The Organisation operated a website, www.snappyhouse.com.sg, which provided a platform for homeowners to sell and rent out property.
The complainant had discovered that images of identification documents were publicly accessible through two web directories on the Organisation's website: the "Avatar Directory" and the "Identity Directory". The Avatar Directory contained profile photos uploaded by users, including one passport image, while the Identity Directory contained identification documents of 30 registered users that had been uploaded for verification purposes.
In total, the personal data of 31 individuals was publicly accessible, including their names, photographs, addresses, passport numbers, NRIC numbers, thumbprints, dates of birth, places of birth, gender, nationality, and passport issue/expiry dates.
The Organisation had initially engaged an overseas vendor to design and develop the website in 2015, and took over its development and administration in-house in 2016. The website was not updated further after July 2016, although users continued to use its functions until March 2018. The Organisation eventually took the website down on 24 May 2018.
What Were the Key Legal Issues?
The key legal issue was whether the Organisation had made reasonable security arrangements to protect the personal data of its customers, as required under section 24 of the PDPA. Section 24 obliges organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
The PDPC had to determine whether the Organisation's actions, or lack thereof, amounted to a breach of its obligations under the PDPA. Specifically, the PDPC needed to assess whether the Organisation had taken adequate steps to secure the personal data stored on its website and prevent public access to sensitive information.
How Did the Court Analyse the Issues?
The PDPC found that the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession and control. The Organisation admitted that it was unaware of the need to protect the personal data stored in the web directories, which resulted in the data being publicly accessible.
The PDPC noted that the Organisation should have implemented access controls to limit web access to the directories containing the personal data. By allowing the identification documents and other sensitive information to be publicly viewable, the Organisation had breached its obligations under section 24 of the PDPA.
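The decision does not describe the Organisation's server setup, so the following is an added illustration of the access-control point, not the Organisation's own configuration: an nginx server block that serves the upload folders as plain static directories (the weak pattern), beside a corrected block in which identification documents live outside the web root and are only released through an authenticated application endpoint. All paths, ports and hostnames are assumed.

```nginx
# Added illustration only; not the Organisation's configuration. Paths are assumed.

# WEAK: upload folders sit inside the web root and are served as static files,
# so anyone who knows or guesses a URL under /uploads/identity/ can fetch a
# scanned passport or NRIC image, and autoindex lists every file name.
server {
    listen 80;
    server_name example.invalid;            # placeholder hostname
    root /var/www/html;

    location /uploads/ {
        autoindex on;                       # directory listing exposes file names
    }
}

# CORRECTED: identification documents are stored outside the web root and are
# never served directly. The application verifies that the logged-in user owns
# the document (or is authorised staff) and then hands the file back to nginx
# with an X-Accel-Redirect header pointing at the internal location below.
server {
    listen 443 ssl;
    server_name example.invalid;            # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder-cert.pem;  # placeholder paths
    ssl_certificate_key /etc/ssl/placeholder-key.pem;
    root /var/www/html;
    autoindex off;                          # never list directory contents

    # Refuse direct web access to the old upload paths entirely.
    location ^~ /uploads/identity/ { return 404; }
    location ^~ /uploads/avatar/   { return 404; }

    # Authenticated download endpoint handled by the application.
    location /documents/ {
        proxy_pass http://127.0.0.1:8000;   # app performs the ownership check
    }

    # Reachable only via X-Accel-Redirect from the app, never from a browser URL.
    location /protected-files/ {
        internal;
        alias /srv/private/identity-docs/;  # outside the web root
    }
}
```

After applying a change like this, confirm from an unauthenticated browser that the old upload URLs return 404 and that the document endpoint redirects to login, and keep a log of that check as evidence of the arrangement.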
In reaching this conclusion, the PDPC considered the fact that no personal data had been transferred to the initial website vendor, and therefore the full responsibility for the IT security of the website and the personal data rested with the Organisation. The PDPC found that the Organisation's lack of awareness and failure to implement appropriate security measures directly led to the breach.
What Was the Outcome?
Having found the Organisation in breach of section 24 of the PDPA, the PDPC decided to issue a warning to the Organisation. The PDPC took into account several mitigating factors, including the Organisation's prompt action to remove the personal data from public access, the relatively small number of individuals affected (31), the limited impact of the breach, and the fact that the Organisation had ceased operating the website.
While the PDPC could have imposed a financial penalty on the Organisation, it determined that a warning was the appropriate enforcement action in this case, given the specific circumstances. The PDPC did not issue any further directions to the Organisation.
Why Does This Case Matter?
This case is significant because it highlights the importance of organisations complying with their obligations under the PDPA to protect the personal data in their possession or control. The PDPC's decision emphasises that organisations must be proactive in implementing reasonable security measures to safeguard sensitive personal information, even if they have outsourced the development or administration of their digital platforms.
The case serves as a reminder that a failure to adequately secure personal data can result in regulatory action, even if the breach is relatively limited in scope. Organisations must remain vigilant and continuously review the security of their systems to ensure compliance with the PDPA's protection obligations.
Furthermore, this decision provides guidance on the factors the PDPC will consider when determining the appropriate enforcement action, such as the promptness of the organisation's response, the number of individuals affected, and the overall impact of the breach. This insight can help organisations understand the PDPC's approach and better prepare for potential data protection compliance issues.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 20
Source Documents
This article analyses [2018] SGPDPC 20 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.